Microsoft will be adding new data classification technology into its core products under a deal announced today by EMC's RSA security division that bridges Microsoft's infrastructure with RSA's data loss prevention (DLP) suite.
Analysts say the partnership could help standardize data classification, make infrastructure more content aware, enable companies to more easily define access policies and eventually automate and streamline data identification and classification.
Under the agreement, Microsoft will embed the classification technology into its platform and future security products. RSA's DLP Suite 6.5, shipping later this month, will be the first visible sign of the partnership. The suite has been retooled to be integrated with Microsoft Active Directory Rights Management Services within Windows Server 2008.
By integrating into Microsoft's Rights Management Services, companies using RSA's DLP suite will find it easier to set policies to flag sensitive data before it leaves the company walls, said Rich Mogull, an independent consultant and founder of security consultancy Securosis LLC. Rights management allows users to set policies on specific data to either block it, send an alert email to end users or hand over a message containing sensitive data to an encryption product.
"The RSA suite will be able to scan content, linking into the RMS infrastructure," Mogull said. "It's something every DLP vendor is going to be doing."
RSA acquired most of its DLP technology from Tablus in 2007.The technology helps companies identify and protect sensitive intellectual property. It also monitors email and other network traffic to enforce policies restricting the flow of content outside company walls. RSA integrated most of the Tablus technology into its encryption and information management offerings.
"We think the future of much of our security technologies will be about deeper integration into core IT infrastructure," said Chris Young, senior vice president at RSA.
The partnership could help improve DLP adoption, but it will likely take years for Microsoft to embed data classification technology into its core products, Mogull said.
The goal of DLP is to stop sensitive information from leaving corporate networks, but data classification has been a sticking point. Many firms try to get a jump-start on data classification projects, but often get bogged down. Experts say that many companies are not well equipped to deal effectively with data classification. DLP tools have also been notoriously sluggish to use, but they have been getting better, said Jon Oltsik, a senior analyst at the Enterprise Strategy Group Inc.
"Microsoft benefits by establishing standards so they can make Windows the point of integration," Oltsik said of the partnership. "It brings DLP into more of the mainstream of document management, file management and security because now you can leverage surrounding tools and infrastructure with DLP."
Young said the RSA DLP suite has three major components: a classification engine, which helps configure the type of information that needs to be classified and acted upon, a content awareness capability to spot data at rest or in motion that needs to be flagged for some form of rights management, and an enterprise management console to allow companies to set policies.
Microsoft would announce when the classification engine is embedded in different pieces of its platform, Young said. The partnership is not exclusive and analysts say Microsoft could announce similar arrangements with other DLP vendors. Once Microsoft embeds data classification, customers will have the ability to manage DLP within Sharepoint, externally with a third-party technology or with RSA's enterprise management console, Young said.
Oltsik also said the deal also should improve enterprise rights management by making it easier for companies to assign rules to newly discovered data. But he said, yet to be answered is whether standards around metadata tagging will be developed as a result of the deal and whether standards emerge in the way devices share information about usage policy.
"What we've been missing is an ability to get granular with usage rules and that's one of the things that this is after," he said.